Date: Tue, 26 Jul 2016 15:22:45 -0400 (EDT)
Subject: Re: CVE Request: Any User Can Panic Kernel Through Sysctl on OpenBSD
> Any user can panic the kernel by using the sysctl call. If a
> user can manage to map a page at address zero, they may be able
> to gain kernel code execution and escalate privileges (OpenBSD fortunately prevents this by default).
> Description:
> When processing sysctl calls, OpenBSD dispatches through a number
> of intermediate helper functions. For example, if the first integer
> in the path is 10, sys_sysctl() will call through vfs_sysctl() for
> further processing. vfs_sysctl() performs a table lookup based on
> the second byte, and if the byte is 19, it selects the tmpfs_vfsops
> table and dispatches further processing through the vfs_sysctl method:
>     if (name[0] != VFS_GENERIC) {
>         for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
>             if (vfsp->vfc_typenum == name[0])
>                 break;
>         if (vfsp == NULL)
>             return (EOPNOTSUPP);
>         return ((*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1,
>             oldp, oldlenp, newp, newlen, p));
>     }
> Unfortunately, the definition for tmpfs_vfsops leaves this method NULL:
>
> struct vfsops tmpfs_vfsops = {
>     NULL,               /* vfs_sysctl */
>
> Trying to read or write a sysctl path starting with (10,19) results
> in a NULL pointer access and a panic of
> "attempt to execute user address 0x0 in supervisor mode".
> Since any user can perform a sysctl read, this issue can be abused
> by any logged in user to panic the system.
> Fortunately, OpenBSD intentionally prevents users from attempting to map a page
> at the NULL address. If an attacker is able to get such a mapping,
> they may be able to cause the kernel to jump to code mapped at this
> address (if other security protections such as SMAP/SMEP aren't in place).
> This would allow an attacker to gain kernel code execution and
> escalate their privileges.
> Reproduction:
> Run the PoC sysctl_tmpfs_panic.c program. It will access
> the (10,19,0) sysctl path and trigger a panic of
> "attempt to execute user address 0x0 in supervisor mode".
> NCC Group was able to reproduce this issue on OpenBSD 5.9 release
> running amd64.
> Recommendation:
> Include a NULL-pointer check in vfs_sysctl() before dispatching to
> the vfs_sysctl method. Alternately, include a vfs_sysctl method
> in the tmpfs_vfsops table.
> Fixed:
>
>     #include <sys/types.h>
>     #include <sys/sysctl.h>
>     int main(void) {
>         int name[] = { 10, 19, 0 }; // vfs.tmpfs.0, i.e. the (10,19,0) path
>         char buf[16];
>         size_t sz = sizeof buf;
>         int x;
>         x = sysctl(name, 3, buf, &sz, 0, 0); // on unpatched 5.9 the kernel panics here
>         return x;
>     }

Use CVE-2016-6350.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]
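The dispatch bug described in the quoted report, and the NULL check it recommends, as an added userspace model. This is example code written for this page; it is neither OpenBSD kernel code nor anything from the NCC Group report. The vfsops/vfsconf structs, the vfsconf list, the "ffs" entry with typenum 1 and its ffs_sysctl method are simplified stand-ins constructed for the example; only the pair (10, 19) = (CTL_VFS, tmpfs typenum), the NULL vfs_sysctl slot and the EOPNOTSUPP convention come from the report. The vulnerable path is shown as a predicate on the function pointer rather than performed, because performing it is the fault.

```c
#include <errno.h>
#include <stdio.h>

#define CTL_VFS        10      /* the "10" of the report's (10,19) path */
#define VFS_GENERIC     0
#define TMPFS_TYPENUM  19      /* the "19": tmpfs's vfc_typenum per the report */

struct proc;                   /* opaque, as in the kernel signature */
typedef int (*vfs_sysctl_fn)(int *, unsigned, void *, size_t *, void *,
    size_t, struct proc *);

struct vfsops {
    vfs_sysctl_fn vfs_sysctl;  /* the slot tmpfs_vfsops leaves NULL */
};

struct vfsconf {
    struct vfsops  *vfc_vfsops;
    const char     *vfc_name;
    int             vfc_typenum;
    struct vfsconf *vfc_next;
};

/* Constructed filesystem that does implement the method: accepts any non-empty path. */
static int ffs_sysctl(int *name, unsigned namelen, void *oldp, size_t *oldlenp,
    void *newp, size_t newlen, struct proc *p)
{
    (void)name; (void)oldp; (void)oldlenp; (void)newp; (void)newlen; (void)p;
    return namelen == 0 ? EINVAL : 0;
}

static struct vfsops ffs_vfsops   = { ffs_sysctl };
static struct vfsops tmpfs_vfsops = { NULL };        /* as quoted in the report */

/* Constructed stand-in for the kernel's vfsconf list; typenum 1 for ffs is assumed. */
static struct vfsconf tmpfs_conf = { &tmpfs_vfsops, "tmpfs", TMPFS_TYPENUM, NULL };
static struct vfsconf ffs_conf   = { &ffs_vfsops,   "ffs",   1,             &tmpfs_conf };
static struct vfsconf *vfsconf   = &ffs_conf;

static struct vfsconf *vfs_lookup(int typenum)
{
    struct vfsconf *vfsp;
    for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
        if (vfsp->vfc_typenum == typenum)
            break;
    return vfsp;
}

/* The vulnerable shape: after a successful lookup the kernel calls the method
 * unconditionally. Reported as a flag rather than performed, since the call is the fault. */
int unchecked_dispatch_calls_null(int typenum)
{
    struct vfsconf *vfsp = vfs_lookup(typenum);
    if (vfsp == NULL)
        return 0;              /* EOPNOTSUPP branch: no call is made */
    return vfsp->vfc_vfsops->vfs_sysctl == NULL;
}

/* Hardened dispatch: the report's first recommendation, a NULL check before the call. */
int vfs_sysctl_checked(int *name, unsigned namelen, void *oldp, size_t *oldlenp,
    void *newp, size_t newlen, struct proc *p)
{
    struct vfsconf *vfsp;
    if (namelen < 1)
        return EINVAL;
    if (name[0] == VFS_GENERIC)
        return 0;              /* generic branch not modelled here */
    if ((vfsp = vfs_lookup(name[0])) == NULL)
        return EOPNOTSUPP;
    if (vfsp->vfc_vfsops->vfs_sysctl == NULL)
        return EOPNOTSUPP;     /* the missing check */
    return (*vfsp->vfc_vfsops->vfs_sysctl)(&name[1], namelen - 1,
        oldp, oldlenp, newp, newlen, p);
}

/* sys_sysctl() model for the CTL_VFS branch only: strip name[0] and dispatch. */
int sys_sysctl_checked(int *name, unsigned namelen)
{
    char buf[16];
    size_t sz = sizeof buf;
    if (namelen < 2 || name[0] != CTL_VFS)
        return EINVAL;
    return vfs_sysctl_checked(&name[1], namelen - 1, buf, &sz, NULL, 0, NULL);
}

int main(void)
{
    int tmpfs_path[] = { CTL_VFS, TMPFS_TYPENUM, 0 };   /* the report's (10,19,0) */
    int ffs_path[]   = { CTL_VFS, 1, 0 };
    printf("unchecked dispatch for tmpfs would call NULL: %d\n",
        unchecked_dispatch_calls_null(TMPFS_TYPENUM));
    printf("checked (10,19,0) -> %d (EOPNOTSUPP is %d)\n",
        sys_sysctl_checked(tmpfs_path, 3), EOPNOTSUPP);
    printf("checked (10,1,0)  -> %d\n", sys_sysctl_checked(ffs_path, 3));
    return 0;
}
```

The lookup succeeding while the method slot is NULL is the whole bug: the existing `vfsp == NULL` test only covers an unknown typenum, so a registered filesystem with an unfilled ops slot sails through to the indirect call. The report's second option, filling the slot in tmpfs_vfsops, fixes only that one table; the check at the dispatch site covers any future vfsops that leaves the method out.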